From 232e0c8411520bcf743460b39dd3466c9f440e4f Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Tue, 12 Jun 2007 01:38:14 +0000 Subject: [PATCH] Refactor signature engines. --- xmltooling/Makefile.am | 1 + xmltooling/security/AbstractPKIXTrustEngine.h | 5 +- xmltooling/security/ChainingTrustEngine.h | 6 +- xmltooling/security/SignatureTrustEngine.h | 123 +++++++++++++++++++++ xmltooling/security/TrustEngine.h | 71 +----------- xmltooling/security/X509TrustEngine.h | 11 +- xmltooling/security/impl/ChainingTrustEngine.cpp | 26 +++-- .../security/impl/ExplicitKeyTrustEngine.cpp | 5 +- xmltooling/xmltooling.vcproj | 4 + 9 files changed, 163 insertions(+), 89 deletions(-) create mode 100644 xmltooling/security/SignatureTrustEngine.h diff --git a/xmltooling/Makefile.am b/xmltooling/Makefile.am index 4d6c00e..25858c4 100644 --- a/xmltooling/Makefile.am +++ b/xmltooling/Makefile.am @@ -75,6 +75,7 @@ secinclude_HEADERS = \ security/KeyInfoCredentialContext.h \ security/KeyInfoResolver.h \ security/OpenSSLCredential.h \ + security/SignatureTrustEngine.h \ security/TrustEngine.h \ security/X509Credential.h \ security/X509TrustEngine.h \ diff --git a/xmltooling/security/AbstractPKIXTrustEngine.h b/xmltooling/security/AbstractPKIXTrustEngine.h index a1f77e2..9c60888 100644 --- a/xmltooling/security/AbstractPKIXTrustEngine.h +++ b/xmltooling/security/AbstractPKIXTrustEngine.h @@ -25,6 +25,7 @@ #define __xmltooling_pkixtrust_h__ #include +#include #include namespace xmltooling { @@ -33,7 +34,7 @@ namespace xmltooling { * A trust engine that uses X.509 trust anchors and CRLs associated with a peer * to perform PKIX validation of signatures and credentials. */ - class XMLTOOL_API AbstractPKIXTrustEngine : public OpenSSLTrustEngine + class XMLTOOL_API AbstractPKIXTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine { protected: /** 
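Review bot: With `public SignatureTrustEngine, public OpenSSLTrustEngine` AbstractPKIXTrustEngine now inherits two unrelated `validate` overload sets, one from SignatureTrustEngine and one reached through X509TrustEngine, and an unqualified `validate(...)` call through this class is ambiguous unless the class itself declares (or `using`-imports) every overload; the `using TrustEngine::validate;` that previously merged them is removed elsewhere in this patch. The class body continues past the hunk, so I cannot see whether all four overloads are declared here; if any is missing, add `using SignatureTrustEngine::validate;` and `using OpenSSLTrustEngine::validate;` to the public section. The class comment should also be extended to say it now serves both as a signature engine and as an X.509/OpenSSL engine, e.g. `* Implements SignatureTrustEngine and OpenSSLTrustEngine; concrete subclasses supply the trust anchors.`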
@@ -49,7 +50,7 @@ namespace xmltooling { * * @param e DOM to supply configuration for provider */ - AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : OpenSSLTrustEngine(e) {} + AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e) {} /** * Checks that either the name of the peer with the given credentials or the names diff --git a/xmltooling/security/ChainingTrustEngine.h b/xmltooling/security/ChainingTrustEngine.h index be2c586..bd97ac9 100644 --- a/xmltooling/security/ChainingTrustEngine.h +++ b/xmltooling/security/ChainingTrustEngine.h @@ -24,13 +24,14 @@ #define __xmltooling_chaintrust_h__ #include +#include namespace xmltooling { /** * OpenSSLTrustEngine that uses multiple engines in sequence. */ - class XMLTOOL_API ChainingTrustEngine : public OpenSSLTrustEngine { + class XMLTOOL_API ChainingTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine { public: /** * Constructor. @@ -105,6 +106,9 @@ namespace xmltooling { ) const; private: std::vector m_engines; + std::vector m_sigEngines; + std::vector m_x509Engines; + std::vector m_osslEngines; }; }; diff --git a/xmltooling/security/SignatureTrustEngine.h b/xmltooling/security/SignatureTrustEngine.h new file mode 100644 index 0000000..6288951 --- /dev/null +++ b/xmltooling/security/SignatureTrustEngine.h 
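Review bot: `: TrustEngine(e)` initializes only the virtual base; the intermediate bases SignatureTrustEngine and OpenSSLTrustEngine are now default-constructed, so if the X509TrustEngine or OpenSSLTrustEngine constructor (neither is visible here) reads anything from `e` beyond forwarding it to TrustEngine, that configuration is silently dropped. Initializing every base explicitly is harmless when they merely forward and keeps the intent visible: `AbstractPKIXTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e), SignatureTrustEngine(e), OpenSSLTrustEngine(e) {}`. A short comment on the constructor, `// TrustEngine is a virtual base and must be initialized by the most-derived class`, would spare the next reader the same question.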
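Review bot: The three new vectors hold the same engine pointers as `m_engines`, but the header gives no indication of who owns them; the destructor (outside this hunk) must delete only through `m_engines`, otherwise an engine implementing several interfaces would be freed more than once. Add `// Non-owning views of m_engines, one per interface; m_engines owns the plugins.` above `m_sigEngines`. The class comment `OpenSSLTrustEngine that uses multiple engines in sequence.` is also stale now that the class is a SignatureTrustEngine as well; `Chains multiple TrustEngines, dispatching each validate() call to the members that implement that interface.` describes the new shape.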
@@ -0,0 +1,123 @@ +/* + * Copyright 2001-2007 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * @file xmltooling/security/SignatureTrustEngine.h + * + * TrustEngine interface that adds validation of digital signatures. + */ + +#if !defined(__xmltooling_sigtrust_h__) && !defined(XMLTOOLING_NO_XMLSEC) +#define __xmltooling_sigtrust_h__ + +#include + +namespace xmlsignature { + class XMLTOOL_API KeyInfo; + class XMLTOOL_API Signature; +}; + +namespace xmltooling { + + class XMLTOOL_API CredentialCriteria; + class XMLTOOL_API CredentialResolver; + + /** + * TrustEngine interface that adds validation of digital signatures. + */ + class XMLTOOL_API SignatureTrustEngine : public virtual TrustEngine { + protected: + /** + * Constructor. + * + * If a DOM is supplied, the following XML content is supported: + * + *
    + *
  • <KeyInfoResolver> elements with a type attribute + *
+ * + * XML namespaces are ignored in the processing of this content. + * + * @param e DOM to supply configuration for provider + */ + SignatureTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e) {} + + public: + virtual ~SignatureTrustEngine() {} + + /** + * Determines whether an XML signature is correct and valid with respect to + * the source of credentials supplied. + * + *

It is the responsibility of the application to ensure that the credentials + * supplied are in fact associated with the peer who created the signature. + * + *

If criteria with a peer name are supplied, the "name" of the Credential that verifies + * the signature may also be checked to ensure that it identifies the intended peer. + * The peer name itself or implementation-specific rules based on the content of the + * peer credentials may be applied. Implementations may omit this check if they + * deem it unnecessary. + * + * @param sig reference to a signature object to validate + * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine + * @param criteria criteria for selecting peer credentials + * @return true iff the signature validates + */ + virtual bool validate( + xmlsignature::Signature& sig, + const CredentialResolver& credResolver, + CredentialCriteria* criteria=NULL + ) const=0; + + /** + * Determines whether a raw signature is correct and valid with respect to + * the source of credentials supplied. + * + *

It is the responsibility of the application to ensure that the Credentials + * supplied are in fact associated with the peer who created the signature. + * + *

If criteria with a peer name are supplied, the "name" of the Credential that verifies + * the signature may also be checked to ensure that it identifies the intended peer. + * The peer name itself or implementation-specific rules based on the content of the + * peer credentials may be applied. Implementations may omit this check if they + * deem it unnecessary. + * + *

Note that the keyInfo parameter is not part of the implicitly trusted + * set of information supplied via the CredentialResolver, but rather advisory + * data that may have accompanied the signature itself. + * + * @param sigAlgorithm XML Signature identifier for the algorithm used + * @param sig null-terminated base64-encoded signature value + * @param keyInfo KeyInfo object accompanying the signature, if any + * @param in the input data over which the signature was created + * @param in_len size of input data in bytes + * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine + * @param criteria criteria for selecting peer credentials + * @return true iff the signature validates + */ + virtual bool validate( + const XMLCh* sigAlgorithm, + const char* sig, + xmlsignature::KeyInfo* keyInfo, + const char* in, + unsigned int in_len, + const CredentialResolver& credResolver, + CredentialCriteria* criteria=NULL + ) const=0; + }; +}; + +#endif /* __xmltooling_sigtrust_h__ */ diff --git a/xmltooling/security/TrustEngine.h b/xmltooling/security/TrustEngine.h index 0af444c..44bbe91 100644 --- a/xmltooling/security/TrustEngine.h +++ b/xmltooling/security/TrustEngine.h @@ -17,7 +17,7 @@ /** * @file xmltooling/security/TrustEngine.h * - * Evaluates the trustworthiness and validity of signatures against + * Evaluates the trustworthiness and validity of security information against * implementation-specific requirements. */ @@ -26,19 +26,12 @@ #include -namespace xmlsignature { - class XMLTOOL_API KeyInfo; - class XMLTOOL_API Signature; -}; - namespace xmltooling { - class XMLTOOL_API CredentialCriteria; - class XMLTOOL_API CredentialResolver; class XMLTOOL_API KeyInfoResolver; /** - * Evaluates the trustworthiness and validity of XML or raw Signatures against + * Evaluates the trustworthiness and validity of security information against * implementation-specific requirements. */ class XMLTOOL_API TrustEngine { 
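Review bot: `SignatureTrustEngine(const xercesc::DOMElement* e=NULL) : TrustEngine(e) {}` initializes a virtual base, so the initializer only takes effect when SignatureTrustEngine is the most-derived class; every concrete engine has to initialize `TrustEngine(e)` itself, which the other hunks do but nothing in this header says. Suggest the comment `// TrustEngine is a virtual base: this initializer is ignored unless this is the most-derived class; concrete engines must initialize TrustEngine(e) directly.` on the constructor. The contract that implementations "may omit" the peer-name check means a true return does not by itself bind the signature to the intended peer, so the doc should tell callers plainly that unless the engine in use documents enforcing the name check, peer identity must be verified by the application. Since `keyInfo` is described as advisory, untrusted data that accompanied the signature, declaring it `const xmlsignature::KeyInfo*` would make clear that implementations are not expected to modify it, though that change would have to be carried into the existing implementations.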
@@ -73,66 +66,6 @@ namespace xmltooling { * @param keyInfoResolver new KeyInfoResolver instance to use */ void setKeyInfoResolver(KeyInfoResolver* keyInfoResolver); - - /** - * Determines whether an XML signature is correct and valid with respect to - * the source of credentials supplied. - * - *

It is the responsibility of the application to ensure that the credentials - * supplied are in fact associated with the peer who created the signature. - * - *

If criteria with a peer name are supplied, the "name" of the Credential that verifies - * the signature may also be checked to ensure that it identifies the intended peer. - * The peer name itself or implementation-specific rules based on the content of the - * peer credentials may be applied. Implementations may omit this check if they - * deem it unnecessary. - * - * @param sig reference to a signature object to validate - * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine - * @param criteria criteria for selecting peer credentials - * @return true iff the signature validates - */ - virtual bool validate( - xmlsignature::Signature& sig, - const CredentialResolver& credResolver, - CredentialCriteria* criteria=NULL - ) const=0; - - /** - * Determines whether a raw signature is correct and valid with respect to - * the source of credentials supplied. - * - *

It is the responsibility of the application to ensure that the Credentials - * supplied are in fact associated with the peer who created the signature. - * - *

If criteria with a peer name are supplied, the "name" of the Credential that verifies - * the signature may also be checked to ensure that it identifies the intended peer. - * The peer name itself or implementation-specific rules based on the content of the - * peer credentials may be applied. Implementations may omit this check if they - * deem it unnecessary. - * - *

Note that the keyInfo parameter is not part of the implicitly trusted - * set of information supplied via the CredentialResolver, but rather advisory - * data that may have accompanied the signature itself. - * - * @param sigAlgorithm XML Signature identifier for the algorithm used - * @param sig null-terminated base64-encoded signature value - * @param keyInfo KeyInfo object accompanying the signature, if any - * @param in the input data over which the signature was created - * @param in_len size of input data in bytes - * @param credResolver a locked resolver to supply trusted peer credentials to the TrustEngine - * @param criteria criteria for selecting peer credentials - * @return true iff the signature validates - */ - virtual bool validate( - const XMLCh* sigAlgorithm, - const char* sig, - xmlsignature::KeyInfo* keyInfo, - const char* in, - unsigned int in_len, - const CredentialResolver& credResolver, - CredentialCriteria* criteria=NULL - ) const=0; }; /** diff --git a/xmltooling/security/X509TrustEngine.h b/xmltooling/security/X509TrustEngine.h index 329103a..aa0a4f1 100644 --- a/xmltooling/security/X509TrustEngine.h +++ b/xmltooling/security/X509TrustEngine.h @@ -17,7 +17,7 @@ /** * @file xmltooling/security/X509TrustEngine.h * - * Extended TrustEngine interface that adds validation of X.509 credentials. + * TrustEngine interface that adds validation of X.509 credentials. */ #if !defined(__xmltooling_x509trust_h__) && !defined(XMLTOOLING_NO_XMLSEC) @@ -27,10 +27,13 @@ namespace xmltooling { + class XMLTOOL_API CredentialCriteria; + class XMLTOOL_API CredentialResolver; + /** - * Extended TrustEngine interface that adds validation of X.509 credentials. + * TrustEngine interface that adds validation of X.509 credentials. */ - class XMLTOOL_API X509TrustEngine : public TrustEngine { + class XMLTOOL_API X509TrustEngine : public virtual TrustEngine { protected: /** * Constructor. 
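Review bot: Changing `public TrustEngine` to `public virtual TrustEngine` changes the object layout of X509TrustEngine and of every class derived from it, so anything compiled against the previous header (out-of-tree plugins registered through TrustEngineManager, if any exist) must be rebuilt; if XMLTOOL_API classes are meant to stay binary-compatible across releases this deserves a line in the commit message or release notes. The constructor follows outside this hunk; if it forwards `e` to TrustEngine like the others, that initializer is only honoured when X509TrustEngine is the most-derived class, which the engines in this patch handle by initializing TrustEngine themselves. A comment there, `// TrustEngine is a virtual base; the most-derived class initializes it`, would make that expectation explicit.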
@@ -50,8 +53,6 @@ namespace xmltooling { public: virtual ~X509TrustEngine() {} - using TrustEngine::validate; - /** * Determines whether an X.509 credential is valid with respect to the * source of credentials supplied. diff --git a/xmltooling/security/impl/ChainingTrustEngine.cpp b/xmltooling/security/impl/ChainingTrustEngine.cpp index f94c234..1a4fb1a 100644 --- a/xmltooling/security/impl/ChainingTrustEngine.cpp +++ b/xmltooling/security/impl/ChainingTrustEngine.cpp @@ -43,7 +43,7 @@ namespace xmltooling { static const XMLCh _TrustEngine[] = UNICODE_LITERAL_11(T,r,u,s,t,E,n,g,i,n,e); static const XMLCh type[] = UNICODE_LITERAL_4(t,y,p,e); -ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : OpenSSLTrustEngine(e) { +ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : TrustEngine(e) { Category& log=Category::getInstance(XMLTOOLING_LOGCAT".TrustEngine"); e = e ? XMLHelper::getFirstChildElement(e, _TrustEngine) : NULL; while (e) { @@ -53,6 +53,15 @@ ChainingTrustEngine::ChainingTrustEngine(const DOMElement* e) : OpenSSLTrustEngi log.info("building TrustEngine of type %s", temp.get()); TrustEngine* engine = XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(temp.get(), e); m_engines.push_back(engine); + SignatureTrustEngine* sig = dynamic_cast(engine); + if (sig) + m_sigEngines.push_back(sig); + X509TrustEngine* x509 = dynamic_cast(engine); + if (x509) + m_x509Engines.push_back(x509); + OpenSSLTrustEngine* ossl = dynamic_cast(engine); + if (ossl) + m_osslEngines.push_back(ossl); } } catch (exception& ex) { @@ -68,7 +77,7 @@ ChainingTrustEngine::~ChainingTrustEngine() { bool ChainingTrustEngine::validate(Signature& sig, const CredentialResolver& credResolver, CredentialCriteria* criteria) const { - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { + for (vector::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) { if ((*i)->validate(sig,credResolver,criteria)) return true; } 
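Review bot: An engine that implements none of the three interfaces is kept in `m_engines` but never consulted, and a chain whose members all lack SignatureTrustEngine fails every signature check closed with no indication why; both are configuration mistakes that would only surface as unexplained verification failures. After the three casts add `if (!sig && !x509 && !ossl) log.warn("TrustEngine of type %s implements no supported validation interface", temp.get());`. The new vectors are non-owning aliases of the pointers in `m_engines`; the `catch` cleanup that begins at the end of this hunk and the destructor must continue to delete only through `m_engines`, so a comment at the first push_back, `// m_engines owns the plugin; the per-interface vectors are non-owning`, is worth adding.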
@@ -85,7 +94,7 @@ bool ChainingTrustEngine::validate( CredentialCriteria* criteria ) const { - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { + for (vector::const_iterator i=m_sigEngines.begin(); i!=m_sigEngines.end(); ++i) { if ((*i)->validate(sigAlgorithm, sig, keyInfo, in, in_len, credResolver, criteria)) return true; } @@ -99,10 +108,8 @@ bool ChainingTrustEngine::validate( CredentialCriteria* criteria ) const { - X509TrustEngine* down; - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { - if ((down = dynamic_cast(*i)) && - down->validate(certEE,certChain,credResolver,criteria)) + for (vector::const_iterator i=m_x509Engines.begin(); i!=m_x509Engines.end(); ++i) { + if ((*i)->validate(certEE,certChain,credResolver,criteria)) return true; } return false; @@ -115,9 +122,8 @@ bool ChainingTrustEngine::validate( CredentialCriteria* criteria ) const { - OpenSSLTrustEngine* down; - for (vector::const_iterator i=m_engines.begin(); i!=m_engines.end(); ++i) { - if ((down = dynamic_cast(*i)) && down->validate(certEE,certChain,credResolver,criteria)) + for (vector::const_iterator i=m_osslEngines.begin(); i!=m_osslEngines.end(); ++i) { + if ((*i)->validate(certEE,certChain,credResolver,criteria)) return true; } return false; diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp index 61c5290..4630f31 100644 --- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp +++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp @@ -25,6 +25,7 @@ #include "security/CredentialCriteria.h" #include "security/CredentialResolver.h" #include "security/OpenSSLTrustEngine.h" +#include "security/SignatureTrustEngine.h" #include "signature/SignatureValidator.h" #include "util/NDC.h" 
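Review bot: Each validate() overload now returns true on the first member engine that accepts and false when no member implements the interface, which is the right fail-closed default, but nothing in the code records that an empty `m_sigEngines`, `m_x509Engines` or `m_osslEngines` is a legitimate state that rejects everything, nor that the chain has OR semantics so the least strict member sets the bar for acceptance. A one-line comment on each loop, `// first accepting engine wins (OR semantics); with no engine of this kind the chain rejects`, keeps the next maintainer from "fixing" it into a pass-through and tells deployers what chaining a lenient engine with a strict one actually yields. The raw-signature and OpenSSL overloads begin before this line's first hunk, so their full signatures are not visible here.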
@@ -40,10 +41,10 @@ using namespace log4cpp; using namespace std; namespace xmltooling { - class XMLTOOL_DLLLOCAL ExplicitKeyTrustEngine : public OpenSSLTrustEngine + class XMLTOOL_DLLLOCAL ExplicitKeyTrustEngine : public SignatureTrustEngine, public OpenSSLTrustEngine { public: - ExplicitKeyTrustEngine(const DOMElement* e) : OpenSSLTrustEngine(e) {} + ExplicitKeyTrustEngine(const DOMElement* e) : TrustEngine(e) {} virtual ~ExplicitKeyTrustEngine() {} virtual bool validate( diff --git a/xmltooling/xmltooling.vcproj b/xmltooling/xmltooling.vcproj index 6511ee6..e85d997 100644 --- a/xmltooling/xmltooling.vcproj +++ b/xmltooling/xmltooling.vcproj @@ -732,6 +732,10 @@ > + + -- 2.1.4
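Review bot: The same virtual-base pattern applies here: `: TrustEngine(e)` reaches the virtual base while SignatureTrustEngine and OpenSSLTrustEngine are default-constructed, so `e` is lost to any intermediate constructor that inspects it (their bodies are not visible in this patch). Initializing all bases explicitly, `ExplicitKeyTrustEngine(const DOMElement* e) : TrustEngine(e), SignatureTrustEngine(e), OpenSSLTrustEngine(e) {}`, costs nothing when they merely forward and protects against a future intermediate constructor that does not. The class's validate overloads continue past the hunk, so I cannot confirm that all four are declared to resolve the two inherited overload sets.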